Kilton Public Library in Lebanon, New Hampshire, the “Live Free or Die” state, is the first library in the nation to make use of Tor, an anonymizing technology. And that did not sit well with the Department of Homeland Security. The agency (via the local police) asked the Kilton Public Library board to shut down their Tor server, to which the board members said no.
In the Phys.org article, Browse free or die? New Hampshire library is at privacy fore, Lynne Tuohy quotes Alison Macrina, founder and director of the Library Freedom Project, as saying, “Kilton’s really committed as a library to the values of intellectual privacy. In New Hampshire, there’s a lot of activism fighting surveillance. It’s the ‘Live Free or Die’ place, and they really mean it.”
All for naught
However, the Library Freedom Project test pilot at Kilton appears to be an exercise in futility. The FBI has proven to be very capable in finding ways to bypass any anonymity provided by the Tor Network. Case in point, the FBI is fighting a court order to explain how the agency is able to sidestep Tor.
As to how FBI agents are able to compromise Tor, researchers at Technische Universitat Darmstadt have a pretty good idea. According to the team’s research paper Selfrando: Securing the Tor Browser against De-anonymization Exploits (PDF), the FBI themselves or with help from a third party found and exploited a weakness in the Tor Browser (software used to access the Tor Network).
The vulnerability is there because Address Space Layout Randomization (ASLR)—which is needed to prevent exploitation of memory corruption vulnerabilities—was not incorporated into the Tor Browser. As to why, the authors add that ASLR suffers from one or more drawbacks, thus the computer-security technique was not used.
Selfrando to the rescue
From the title of the research team’s paper, one can surmise that Selfrando has something to do with the solution. The paper mentions, “Selfrando is an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits, such as the one FBI allegedly used against Tor users.”
Image: The report’s authors and Technische Universitat Darmstadt
The research team believes that Selfrando improves security over ASLR, and still preserves the features that are credited to ASLR. The slide to the right represents the usual workflow from the C/C++ source code to a running program with and without Selfrando.
“While technically challenging, our use of load-time function layout permutation ensures that the attack surface changes from one run to another,” write the authors. “Load-time randomization also ensures compatibility with code signing and distribution mechanisms that use caching to efficiently serve millions of users.”
Besides the above advantages, the researchers suggest that Selfrando contributes the following:
- Practical randomization framework: To its credit, Selfrando can be directly applied to the Tor Browser without any changes to the source code. “To the best of our knowledge, Selfrando is the first approach that avoids risky binary rewriting or the need to use a custom compiler, and works with existing build tools,” mention the authors. “Moreover, it is fully compatible with ASan, which required additional implementation effort since the randomization interferes with ASan.”
- Increased entropy and leakage resilience: Selfrando reduces the impact of information leakage vulnerabilities and increases entropy relative to ASLR, making Selfrando more effective against guessing attacks. The researchers add, “Use of load-time randomization mitigates threats from attackers observing binaries during download or after the executable files have been stored on disk.”
- Low overhead: As busy as Tor Networks are, the researchers were careful to ensure that Selfrando’s startup and performance overheads are negligible.
The researchers mention that Tor Project personnel are looking at a number of different opportunities to produce hardened builds of the Tor Browser. “We worked closely with their developers in order to make it easy to integrate Selfrando in the Tor Browser,” write the paper’s authors. “They [Tor Project personnel] plan to release a hardened version that includes Selfrando and to evaluate the inclusion of Selfrando in the normal version.”
If the Selfrando development team has its way, people at the Kilton Public Library will be able to “Live Free” and “Browse Free.”
The research team and report authors consisted of: Mauro Conti, Stephen Crane, Tommaso Frassetto, Andrei Homescu, Georg Koppen, Per Larsen, Christopher Liebchen, Mike Perry, and Ahmad-Reza Sadeghi.
Selfrando is available for use in other open-source projects at GitHub.